15213 Recitation Section C• Buffer overflow• Putting code onto stackShimin ChenSept. 30, 2002Outline215213 Recitation C Shimin ChenExample 1: Buffer Overflowvoid example1(){volatile int n;char buf[8];volatile int x;n = 0x12345678; x = 0xdeadbeef;strcpy(buf, "abcdefghijk");// a=0x61 b=0x62 ...buf[8] = 0xab;buf[-4] = 0xcd;}Please draw the stack frame of “example1”. What are the values of n and x at the marked points?2. n=? x=?3. n=? x=?1. n=? x=?315213 Recitation C Shimin ChenASM of example10x80483f0 push %ebp0x80483f1 mov %esp,%ebp0x80483f3 sub $0x18,%esp0x80483f6 movl $0x12345678,0xfffffffc(%ebp)0x80483fd movl $0xdeadbeef,0xfffffff0(%ebp)0x8048404 add $0xfffffff8,%esp0x8048407 push $0x80484a80x804840c lea 0xfffffff4(%ebp),%eax0x804840f push %eax0x8048410 call 0x8048308 <strcpy>0x8048415 add $0x10,%esp0x8048418 movb $0xab,0xfffffffc(%ebp)0x804841c mov $0xfffffffc,%eax0x8048421 lea 0xfffffff4(%ebp),%edx0x8048424 movb $0xcd,(%eax,%edx,1)0x8048428 mov %ebp,%esp0x804842a pop %ebp0x804842b ret415213 Recitation C Shimin ChenStack Framepush %ebpmov %esp,%ebpsub $0x18,%espmovl $0x12345678,0xfffffffc(%ebp)movl $0xdeadbeef,0xfffffff0(%ebp)add $0xfffffff8,%esppush $0x80484a8lea 0xfffffff4(%ebp),%eaxpush %eaxcall 0x8048308 <strcpy>add $0x10,%espmovb $0xab,0xfffffffc(%ebp)mov $0xfffffffc,%eaxlea 0xfffffff4(%ebp),%edxmovb $0xcd,(%eax,%edx,1)mov %ebp,%esppop %ebpretold %ebp%ebpReturn addr…nbuf%espx0xfc0xf40xf0515213 Recitation C Shimin ChenBefore Calling strcpy()push %ebpmov %esp,%ebpsub $0x18,%espmovl $0x12345678,0xfffffffc(%ebp)movl $0xdeadbeef,0xfffffff0(%ebp)old %ebp%ebpReturn addr…12 34 56 78%espde ad be ef0xfc0xf40xf0Address highlownbufx615213 Recitation C Shimin ChenAfter Calling strcpy()push %ebpmov %esp,%ebpsub $0x18,%espmovl $0x12345678,0xfffffffc(%ebp)movl $0xdeadbeef,0xfffffff0(%ebp)add $0xfffffff8,%esppush $0x80484a8lea 0xfffffff4(%ebp),%eaxpush %eaxcall 0x8048308 <strcpy>add $0x10,%espold %ebp%ebpReturn addr…00 6b 6a 6968 67 66 6564 63 62 61%espde ad be 
ef0xfc0xf40xf0nbufxstrcpy(buf, "abcdefghijk");715213 Recitation C Shimin ChenBefore Returnpush %ebpmov %esp,%ebpsub $0x18,%espmovl $0x12345678,0xfffffffc(%ebp)movl $0xdeadbeef,0xfffffff0(%ebp)add $0xfffffff8,%esppush $0x80484a8lea 0xfffffff4(%ebp),%eaxpush %eaxcall 0x8048308 <strcpy>add $0x10,%espmovb $0xab,0xfffffffc(%ebp)mov $0xfffffffc,%eaxlea 0xfffffff4(%ebp),%edxmovb $0xcd,(%eax,%edx,1)old %ebp%ebpReturn addr…00 6b 6a ab68 67 66 6564 63 62 61%espde ad be cd0xfc0xf40xf0nbufx815213 Recitation C Shimin ChenWhat If …• What if we instead strcpy(buf, "abcdefghijklmn");14+1 chars• What if we instead strcpy(buf, "abcdefghijklmnopq");17+1 chars• Old ebp is overwritten• Return addr is overwritten915213 Recitation C Shimin ChenExample 2: How to Put Code onto Stack?push %ebpmov %esp,%ebpsub $0x18,%espadd $0xfffffff4,%esplea 0xfffffff8(%ebp),%eaxpush %eaxcall 0x80482e8 <gets>xor %eax,%eaxmov %ebp,%esppop %ebpret int example2 (){char buf[8];gets (buf);return 0;}1015213 Recitation C Shimin ChenSteps1. Write assembly code2. Get binary representation of the code3. Generate ASCII for the binary code4. Run the program with the input1115213 Recitation C Shimin ChenWrite assembly code• Use your favorite text editor• For example,movl $0, -8(%ebp)addl $0x12345678, %eax• Save as *.s, e.g. 
input.s1215213 Recitation C Shimin ChenGet binary representation of the code• Compile the assembly with gcc: gcc -c input.s• Display binary representation with objdump: objdump -d input.o• Copy the byte code into a text file1315213 Recitation C Shimin ChenGenerate ASCII for the binary code• Use sendstring to generate ASCII string: sendstring < input.txt > input.raw1415213 Recitation C Shimin ChenRun the program with the input• Run at the command line: example2 < input.raw• Run in gdb: gdb example2run < input.raw1515213 Recitation C Shimin ChenShow Code on the Stack(gdb) break example2(gdb) break *0x80483f6(gdb) run < input.raw(gdb) p/x $ebp - 8(gdb) p/x $ebp + 3(gdb) continue(gdb) disas 0xbffffa40 0xbffffa4b1615213 Recitation C Shimin ChenImportant Dates• Lab 3: due Monday (Oct. 7), 11:59pm• Exam 1: Tuesday (Oct. 8), 6:00–7:30pmDoherty Hall